Created some playbooks, a master playbook file, and a vars directory

playbooks/admin_login.yml

@@ -0,0 +1,17 @@
+---
+- hosts: servers4 # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
+  vars_files:
+    # - vars/ssh_keys_vault.yml
+    - vars/ssh_keys.yml
+  vars:
+    ansible_ssh_private_key_file: "{{ chosen_native_ssh_private_key_file | default(chosen_local_ssh_private_key_file, true) }}"
+  tasks:
+    - name: Disable shell access for root
+      ansible.builtin.include_role:
+        name: lockdown
+        defaults_from: main
+        vars_from: main
+        handlers_from: main
+        tasks_from: deshell
+        apply:
+          become: yes

playbooks/group_vars/servers/main.yml.example

@@ -0,0 +1,7 @@
+---
+passwords:
+  - username: senpai
+    password: "{{ vaulted_passwords.senpai.password }}"
+ansible_user: "{{ passwords[0].username }}"
+local_ssh_private_key_files: [] # @NOTE list paths to SSH private keys
+chosen_local_ssh_private_key_file: "{{ local_private_key_files | random }}"

playbooks/manage_root.yml

@@ -0,0 +1,16 @@
+---
+- hosts: servers4 # @NOTE for IPv6, switch to 'servers6' instead of 'servers4'--for both, 'servers'
+  remote_user: root # MUST be run as root
+  roles:
+    - lockdown
+  # tasks:
+  #   - name: Set up sys-admin account on VPS and secure VPS
+  #     ansible.builtin.include_role:
+  #       name: lockdown
+  #       defaults_from: main
+  #       vars_from: main
+  #       handlers_from: main
+  #       tasks_from: main
+  #     tags:
+  #       - init
+      

playbooks/master.yml

@@ -0,0 +1,5 @@
+---
+- name: Lock down VPS
+  ansible.builtin.import_playbook: manage_root.yml
+- name: Disable shell for root
+  ansible.builtin.import_playbook: admin_login.yml

playbooks/vars/ssh_keys.yml

@@ -0,0 +1,4 @@
+---
+native_ssh_private_keys: "{{ vaulted_native_ssh_private_keys }}"
+native_ssh_private_key_files: []
+chosen_native_ssh_private_key_file: "{{ native_ssh_private_key_files | random }}"